last sync: 2024-Oct-04 17:51:49 UTC

Azure Kubernetes Service RBAC Writer

Azure BuiltIn RBAC Role definition

Name: Azure Kubernetes Service RBAC Writer
Id: a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
Description: Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
CreatedOn: 2020-07-02 17:54:51 UTC
UpdatedOn: 2023-04-24 15:06:51 UTC
History (Date/Time in UTC, ymd)

2023-04-25 17:42:26 | change: DataActions
  DataActions: 'remove Microsoft.ContainerService/managedClusters/events/read; add Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read; add Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write; add Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete; add Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read; add Microsoft.ContainerService/managedClusters/events/*; add Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read; add Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read'

2022-10-13 16:34:55 | change: Actions
  Actions: 'remove Microsoft.Insights/alertRules/*; remove Microsoft.Resources/deployments/write; remove Microsoft.Support/*'

2020-10-23 13:31:33 | change: Description, Actions, DataActions, NotDataActions
  New Description: 'Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.'
  Old Description: 'Lets you update everything in cluster/namespace, except resource quotas, namespaces, pod security policies, certificate signing requests, (cluster)roles and (cluster)role bindings.'
  Actions: 'remove Microsoft.ContainerService/managedClusters/listClusterUserCredential/action'
  DataActions: 'remove Microsoft.ContainerService/managedClusters/*/read; remove Microsoft.ContainerService/managedClusters/*/write; add Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read; add Microsoft.ContainerService/managedClusters/apps/daemonsets/*; add Microsoft.ContainerService/managedClusters/apps/deployments/*; add Microsoft.ContainerService/managedClusters/apps/replicasets/*; add Microsoft.ContainerService/managedClusters/apps/statefulsets/*; add Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*; add Microsoft.ContainerService/managedClusters/batch/cronjobs/*; add Microsoft.ContainerService/managedClusters/batch/jobs/*; add Microsoft.ContainerService/managedClusters/configmaps/*; add Microsoft.ContainerService/managedClusters/endpoints/*; add Microsoft.ContainerService/managedClusters/events.k8s.io/events/read; add Microsoft.ContainerService/managedClusters/events/read; add Microsoft.ContainerService/managedClusters/extensions/daemonsets/*; add Microsoft.ContainerService/managedClusters/extensions/deployments/*; add Microsoft.ContainerService/managedClusters/extensions/ingresses/*; add Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*; add Microsoft.ContainerService/managedClusters/extensions/replicasets/*; add Microsoft.ContainerService/managedClusters/limitranges/read; add Microsoft.ContainerService/managedClusters/namespaces/read; add Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*; add Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*; add Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*; add Microsoft.ContainerService/managedClusters/pods/*; add Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*; add Microsoft.ContainerService/managedClusters/replicationcontrollers/*; add Microsoft.ContainerService/managedClusters/replicationcontrollers/*; add Microsoft.ContainerService/managedClusters/resourcequotas/read; add Microsoft.ContainerService/managedClusters/secrets/*; add Microsoft.ContainerService/managedClusters/serviceaccounts/*; add Microsoft.ContainerService/managedClusters/services/*'
  NotDataActions: 'remove Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/*/read; remove Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/*/write; remove Microsoft.ContainerService/managedClusters/namespaces/write; remove Microsoft.ContainerService/managedClusters/resourcequotas/write; remove Microsoft.ContainerService/managedClusters/certificates.k8s.io/certificatesigningrequests/write; remove Microsoft.ContainerService/managedClusters/policy/podsecuritypolicies/write'

2020-07-03 14:58:03 | add: Role a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
Permissions summary
Effective control plane and data plane operations: 115 (unique operations)
• action: 2
• delete: 25
• read: 63
• write: 25

Actions: 4
Resolved control plane operations from Actions: 30
Effective control plane operations: 30
• read: 30

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15767

DataActions: 35
Resolved data plane operations: 85
Effective data plane operations: 85
• action: 2
• delete: 25
• read: 33
• write: 25

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3091
Actions
Operation | Description
Microsoft.Authorization/*/read | wildcarded / no description
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions: n/a
DataActions
Operation | Description
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/apps/deployments/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/apps/replicasets/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/batch/jobs/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/configmaps/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices
Microsoft.ContainerService/managedClusters/endpoints/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events
Microsoft.ContainerService/managedClusters/events/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/extensions/deployments/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/pods/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas
Microsoft.ContainerService/managedClusters/secrets/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/serviceaccounts/* | wildcarded / no description
Microsoft.ContainerService/managedClusters/services/* | wildcarded / no description

NotDataActions: n/a
Used in BuiltIn Policy: none

JSON (api-version=2023-07-01-preview)

Condition: none